Back to Top


The purpose of this Privacy Information Technology Requirement (ITR) is to govern how Anne Arundel Community College manages the personal information for faculty, staff and students, and specific requirements that all individuals must meet in order to keep the confidentiality, integrity and availability of personal information. AACC will respect an individual’s fundamental rights and freedoms, in particular their right to the protection of personal data.


1. This Privacy ITR applies for all College sites and all users, including, but not limited to:

  • Employees
  • Students
  • Vendors and Contractors
  • Guests

2. This privacy ITR applies to automated and manual processing of information in AACC systems.


1. Personal Information: Any information concerning/related to an individual. Personal information includes (but not limited to) personally identifiable information, grades, home address, familial relations, life/biographical information, health, hobbies, electronic activity, geographic location.

2. Personally identifiable information: Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means; data that can be used on its own to trace or identify a person. That may include, but not be limited to:

  • Name (in combination with other factors)
  • Full Social Security number
  • Tax identification numbers
  • Full date of birth
  • Driver’s license information
  • Passport information

3. Student: An individual (including high school students and Kids in College), that takes classes for credit or noncredit.


1. The College may use personal information and other data collected for:

  • Purposes of College required business processes.
  • Compliance with federal, state and local laws
  • Reporting requirements
  • Validation/verification of certifications and degrees
  • Legal mandates and law enforcement

2. AACC has the right to collect personal information from students and faculty for educational purposes and is the controller of all collected information in automated or manual formats (electronic and paper repositories).

3. AACC collects personally identifiable information from employees for administrative purposes.

4. Individuals have the right to know what personal information the college is collecting.

5. Individuals have the right to change incorrect information the college has collected.

6. Individuals have the right to anonymity, as allowed by laws of the United States and Maryland. AACC has the responsibility and authority under law to retain and maintain information.

7. Individuals have the right to nondiscrimination.

8. For minors under age 13, AACC complies with the Children’s Online Privacy Protection Act (COPPA).

9. AACC will never sell personal information. AACC will release personally identifiable information only as required by law and for reporting educational information. AACC will develop guidelines to enforce contractual documentation with third parties to never sell personal information.

10. AACC will secure personal information from unauthorized disclosure (loss of confidentiality) and modification (loss of integrity).

11. Individuals have the right to request the deletion of their personal information held by AACC. AACC has the responsibility and authority under law to retain and maintain information.

12. AACC reserves the right to use all its authority to identify and discipline persons who misuse or abuse Privacy ITR.

13. Required privacy statements will be included on the website.


1. AACC complies with requests from officials for release of information, as provided by the courts or in existing laws.

2. AACC, as required by federal and Maryland laws, maintains records that does not allow it to remove all personal information when requested by the individual.

3. AACC may release personal information for legal and law enforcement investigations.

4. Exceptions to this ITR should be submitted to the vice president of Information and Instructional Technology Division, through the director of Information Security for review and approval. If an exception is granted a compensating security control or safeguard will be documented.



Review Process

Information Technology Requirements will be reviewed every 12 months or sooner, if required. Guidelines and Processes will be reviewed every 24 months or sooner, if required.

Guideline Title: Information Technology Asset Management Information Technology Requirement

Guideline Owner: Vice President for Information and Instructional Technology

Guideline Administrator: Director, Information Security

Contact Information: John Williams,  

Approval Date: Jan. 8, 2024

Effective Date: Jan. 8, 2024

History: Adopted July 10, 2023

Applies to: Faculty, staff and students

Related Policies: N/A

Related Procedures: N/A

Related Guidelines: Red Flag Procedures

Forms: N/A

Relevant Laws:

  • Family Educational Rights and Privacy Act (20 U.S.C. § 1232g; 34 CFR Part 99)
  • Red Flags
  • CCPA
  • GDPR
  • NIST SP800-53
  • NIST SP800-171
  • MD Title 10A, 1301-1305